
Drafting company remote access policy

Status
Not open for further replies.

zviw

MIS
Oct 11, 2002
34
US
The firm I work for has about 40 employees. We recently put in a Windows Terminal server as well as a Cisco ASA. The idea was to offer remote access to our employees by having them first connect through the Cisco VPN and then connecting to the Terminal server. Everything works.

My boss is concerned about maintaining the network's security with this setup and I've been tasked with drafting a company policy to that end.

I am not particularly concerned about anybody doing things maliciously - they can do that without remote access. I am concerned about stupid things, malware and the things that I don't know about that should concern me. After all, I am new to remote access.

I am not sure where to start.

1 - Is our setup smart?

2 - Is there malware that can affect us through Terminal Server?

3 - What type of things should I be concerned about?

Thanks

Zvi
 
1. VPN is definitely the way to go.
2. Malware could affect you via a VPN in the same way it could affect you if you were using a machine at home or in the office. The added dimension is that a VPN goes straight through your firewall. So anything that runs on someone's machine at home who is also checking warez sites whilst roaming on their shares on your LAN via the VPN can have some pretty disastrous effects. The end user is often the weak point (but not always if firewalls aren't configured properly).

3. The above and also the usual things. There are two ways to let people browse the net at large whilst they VPN to your site. They can browse the web with their home connection and VPN into you OR they can VPN to your site and then browse OUT from your site through your firewall and be subject to the usual controls. Performance is an issue here. Google "split tunneling" for stuff about this. Give the VPN only to people who HAVE to have it, i.e. remote users and not lazy people who just want to stay at home in PJs Homer style whilst surfing and pretending to work ;-)
 
Thanks.

BTW, can anything affect our LAN through the Terminal Server connection?

Zvi
 
Not sure what you mean by anything affecting the LAN through the Terminal Server. As a general rule, anything a user can do locally on the LAN, he can do through TS. So make sure user permissions are set correctly and you may want to do some research on locking down a terminal server. For example, on ours, we remove the run command, access to regedit, the ability to shut down the server, etc.
That's why you never want your DC to be a Terminal Server.
 
> Not sure what you mean by anything affecting the LAN through the Terminal Server.

I mean, can malware on a user's system affect the Terminal Server?

Zvi
 
I am not totally positive about this answer, but my guess is, if you are using the option to map client drives, it can affect it. In other words, there is an option to map client drives in Terminal Server. This means that if a user logs on from his home computer, his C drive is created as a virtual drive on the Terminal Server. That being said, my guess is, if the terminal server can connect to his C drive and his C drive is infected, then the Terminal Server can pick up the malware.
 
I personally hate VPNs. If an end user at home is using Windows XP Home without a service pack, no AV, and their teenage son is constantly browsing for free porn, I wouldn't allow it to connect to my network by bringing it in and plugging in a CAT5 cable - why do the same but over VPN?

If you really have to have a VPN, I suggest that the VPN endpoint (either a WinNT box or a Cisco box etc.) has packet filters that block anything other than port 3389, which is used for TS.

Also lock down your TS connections to the point that it's just a terminal - no SMB connections between the client and the server - and make sure all updates and AV DATs are fully updated ASAP.

Cheers,

Steve.

"They have the internet on computers now!" - Homer Simpson
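Steve's "just a terminal" lockdown and the client-drive-mapping risk raised earlier can be audited and enforced on the Terminal Server host itself. The script below is an added example, not code from this thread; it assumes the standard Terminal Services policy registry path, that it runs elevated on the TS host, and a hypothetical VPN client pool of 10.99.0.0/24 for the SMB block rule.

```powershell
# Added example (not from the thread). Run elevated on the Terminal Server.
# Assumptions: standard Terminal Services policy key below; hypothetical VPN
# client address pool 10.99.0.0/24 (replace with the pool your ASA hands out).
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$VpnPool   = '10.99.0.0/24'

# Device-redirection policies; each is a DWORD where 1 = "Do not allow ...".
# fDisableCdm is the one that stops a client's C: drive appearing in the session.
$Redirection = [ordered]@{
    fDisableCdm      = 'drive redirection (client drives mapped into the session)'
    fDisableClip     = 'clipboard redirection'
    fDisableLPT      = 'LPT port redirection'
    fDisableCcm      = 'COM port redirection'
    fDisablePNPRedir = 'Plug and Play device redirection'
}

function Get-TSRedirectionState {
    # One object per policy: current value and whether it is locked down (1).
    foreach ($name in $Redirection.Keys) {
        $value = (Get-ItemProperty -Path $PolicyKey -Name $name -ErrorAction SilentlyContinue).$name
        [pscustomobject]@{
            Policy     = $name
            Blocks     = $Redirection[$name]
            Value      = $value
            LockedDown = ($value -eq 1)
        }
    }
}

function Set-TSRedirectionLockdown {
    # Create the policy key if missing and set every redirection policy to 1.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    foreach ($name in $Redirection.Keys) {
        Set-ItemProperty -Path $PolicyKey -Name $name -Value 1 -Type DWord
    }
}

function Block-SmbFromVpnClients {
    # Sessions only need RDP (TCP 3389); refuse SMB (TCP 445) from the VPN pool
    # so a remote machine can reach this host as a terminal and nothing more.
    $ruleName = 'Block SMB from VPN clients'
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
            -LocalPort 445 -RemoteAddress $VpnPool -Action Block -Profile Any | Out-Null
    }
}

# Audit first; only change settings when something is not locked down.
Get-TSRedirectionState | Format-Table -AutoSize
if (Get-TSRedirectionState | Where-Object { -not $_.LockedDown }) {
    Set-TSRedirectionLockdown
    Block-SmbFromVpnClients
    Get-TSRedirectionState | Format-Table -AutoSize
}
```

A `gpupdate /force` (or reboot) is needed before existing sessions pick up the new policy values; the firewall rule takes effect immediately.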
 
I'm almost with Stevehewitt on this one. The only difference is that if a user wants to connect at home, they should use a company PC/laptop (already has a user agreement with it) or allow the company IT folks to check out the home PC first, and periodically thereafter.

 
We canned our VPN setup about 3 years ago due to issues with malware from users' home machines. The users now RDP directly to the terminal server. Since then we haven't had remote users introduce malware or virii that was on their home machine. Also make sure that you have a really good firewall and good virus and spyware protection on your entire network.

We also have it in our policy that ANY user (including the bosses) introducing malware or virii while remotely connected will have their remote access denied for 3 months. Since our users generally use their remote access after hours and on weekends, it is a major inconvenience if they have to come into or stay at the office instead of working from home. Therefore, they tend to be more careful. We did this because one user was going through a marital breakup and was using her remote connection for all her personal business.

After the 3rd time that I had to go into the office to check our network (the user was really good at notifying me - per then existing policy - when she got a virus alert or had browser problems) after 11:00 PM, the above policy was introduced. The issue wasn't that there was a virus or spyware spreading on our network (our AV and anti-spyware apps caught 99.9% of the junk and either quarantined it or cleaned it) but that I had to go into the office and make doubly sure our network was clean. We're an accounting office and can't afford to have anything that might remotely affect the security of the network on our system.

Cheers.
 
Zvi,

The answers you received are mostly technical. Your policy should also cover things like:

* How is remote access granted? Does everyone get it? Do you require special permission from a supervisor/business justification?
* How often is remote access reviewed?
* Add employee termination and inception procedures
* What auditing mechanisms are in place to log access

There is much more to consider. Acceptable usage: do you allow internet browsing? What applications shall be available, etc.

Best of luck!

~wmichael

"small change can often be found under seat cushions"
 
There are some hardware solutions out there that can help with insisting on client machines having certain levels of software before being allowed in. Citrix Access Gateway is one that I am fairly au fait with. It might be worth having a look at that.

However, your policy has to be enforceable for all who use it. Do you allow it 24/7? Breach procedures as well.

A perspective from the other side!!

Cheers
Scott
 